Sh... IoT just got real: Mirai botnet attacks targeting multiple ISPs

Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege

Analysis The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.

Problems at the Post Office began on Sunday, while TalkTalk was hit yesterday; collectively this has affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.

KCOM told El Reg that Mirai was behind the assault on its broadband customers, adding that: "ZyXEL has developed a software update for the affected routers that will address the vulnerability." The timing and nature of this patch remains unclear.

ZyXEL told El Reg that the problem stemmed from malicious exploitation of the maintenance interface (port 7547) on its kit, which it was in the process of locking down.

With malicious practice in place, unauthorised users could access or alter the device's LAN configuration from the WAN-side using TR-064 protocol.

ZyXEL is aware of the issue and assures customers that we are handling the issue with top priority. We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers, Econet, with chipsets RT63365 and MT7505 with SDK version #7.3.37.6 and #7.3.119.1 v002 respectively.

Last week a widespread attack on the maintenance interfaces of broadband routers affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany. Other victims include customers of Irish ISP Eir where ZyXEL-supplied kit was the target.

The Post Office confirmed that around "100,000 of our customers" have been affected and that the attack had hit "customers with a ZyXEL router".

ZyXEL routers are not a factor in the TalkTalk case, where routers made by D-Link are under the hammer. TalkTalk confirmed that the Mirai botnet was behind the attack against its customers, adding in the same statement that a fix was being rolled out.

Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm. A small number of customer routers have been affected, and we have deployed additional network-level controls to further protect our customers.

We do believe this has been caused by the Mirai worm – we can confirm that a fix is now in place, and all affected customers can reconnect to the internet. Only a small number of our customers have the router (a D-Link router) that was at risk of this vulnerability, and only a small number of those experienced connection issues.

The Post Office is similarly promising its customers that a fix is in the works.

Post Office can confirm that on 27 November a third party disrupted the services of its broadband customers, which impacted certain types of routers. Although this did result in service problems we would like to reassure customers that no personal data or devices have been compromised. We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers.

It's unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.

Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: "The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.

"So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they're experiencing a problem."

Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.

Daniel Miessler, director of advisory services at IOActive, commented: "Recent attacks to Deutsche Telekom, TalkTalk and the UK Post Office will be felt by hundreds of thousands of broadband customers in Europe, but while the lights stay on and no one is in any real physical or financial danger, sadly nothing will change. IoT will remain fundamentally insecure.

"The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example." ®